js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.
History

Wed, 15 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat hummingbird
Weaknesses CWE-606
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat
Redhat hummingbird
References
Metrics threat_severity

None

threat_severity

Important


Thu, 09 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Nodeca
Nodeca js-yaml
Vendors & Products Nodeca
Nodeca js-yaml

Wed, 08 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Description js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.
Title js-yaml: YAML merge-key chains can force quadratic CPU consumption
Weaknesses CWE-407
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-07-08T15:15:54.675Z

Updated: 2026-07-09T15:14:29.753Z

Reserved: 2026-07-07T15:41:53.607Z

Link: CVE-2026-59869

cve-icon Vulnrichment

Updated: 2026-07-09T15:14:24.071Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-08T15:15:54Z

Links: CVE-2026-59869 - Bugzilla